Security Test: Directive overloading¶
Description¶
Directive overloading occurs when a client can send a query that carries a very large number of directives, for example hundreds of consecutive `@skip` or `@include` directives on a single field. Every directive has to be parsed, validated and evaluated, so an unbounded directive count lets one request consume disproportionate CPU and memory in the engine handling those directives and deny service to other clients.
Remediation¶
Limit the number of directives allowed in a query. The limit should be enforced by the GraphQL engine while it parses the document, before validation and execution; otherwise a crafted query can exhaust the engine's heap (an out-of-memory crash) or pin its CPU and take the API down.
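The check below is an added example, not code from this page or from GraphQL Armor. It is the cheapest form of the "fast check" this test runs: a lexical scan over the raw request body that counts directive tokens and rejects the document before the engine builds an AST for it, which is where a parser without a limit starts spending memory. `DEFAULT_MAX_DIRECTIVES`, the function names and the two sample documents are assumptions made for the example.

```javascript
// Added example (not code from the page or from GraphQL Armor): a lexical
// pre-parse check that counts directives in a raw GraphQL document and
// rejects the request before the engine allocates an AST for it.
// DEFAULT_MAX_DIRECTIVES, the function names and the sample documents
// below are assumptions made for this example.

const DEFAULT_MAX_DIRECTIVES = 50;

// Count `@name` directive tokens in a GraphQL document. String literals,
// block strings and `#` comments are skipped so that an "@" inside an
// e-mail address or a comment is not mistaken for a directive.
function countDirectives(document) {
  let count = 0;
  let i = 0;
  const n = document.length;
  while (i < n) {
    const c = document[i];
    if (c === '#') {
      // Comment: runs to end of line.
      while (i < n && document[i] !== '\n') i++;
    } else if (document.startsWith('"""', i)) {
      // Block string: ends at the next unescaped """.
      i += 3;
      while (i < n && !document.startsWith('"""', i)) {
        i += document.startsWith('\\"""', i) ? 4 : 1;
      }
      i += 3;
    } else if (c === '"') {
      // Plain string: ends at the next unescaped quote (or end of line).
      i++;
      while (i < n && document[i] !== '"' && document[i] !== '\n') {
        i += document[i] === '\\' ? 2 : 1;
      }
      i++;
    } else {
      if (c === '@') count++;
      i++;
    }
  }
  return count;
}

// Fast check to run before parse(): an O(n) scan with no allocation.
function checkDirectiveBudget(document, maxDirectives = DEFAULT_MAX_DIRECTIVES) {
  const count = countDirectives(document);
  if (count > maxDirectives) {
    return {
      ok: false,
      count,
      reason: `query declares ${count} directives, limit is ${maxDirectives}`,
    };
  }
  return { ok: true, count };
}

// Constructed attack document: one field carrying `repeat` copies of
// @skip(if: false). The spec's "directives are unique per location" rule
// would reject the duplicates, but only at validation time, after the
// whole document has already been parsed.
function buildOverloadedQuery(repeat) {
  return `query { __typename ${'@skip(if: false) '.repeat(repeat)}}`;
}

// Constructed benign document: two real directives plus two decoy "@"s.
const BENIGN_QUERY = `
# notify @oncall when this query changes
query Greet($verbose: Boolean = false) {
  user(id: "acct@example.com") {
    name
    email @include(if: $verbose)
    bio @skip(if: $verbose)
  }
}`;

// Stand-alone demonstration.
console.log(checkDirectiveBudget(BENIGN_QUERY));               // { ok: true, count: 2 }
console.log(checkDirectiveBudget(buildOverloadedQuery(1000))); // { ok: false, count: 1000, reason: '...' }
```

Run the check on the raw request body before the string reaches the engine's parser, and tune the threshold to the largest directive count your legitimate clients use (persisted queries make that easy to measure). The scan is deliberately ignorant of GraphQL structure, so it is a defense-in-depth pre-filter; the engine-level limit described above remains the real control.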
GraphQL Specific¶
Apollo
Upgrade the `graphql` package (graphql-js, which Apollo Server builds on) to >=16.0.0 if you are not already up to date. You can also use our [GraphQL Armor](https://escape.tech/graphql-armor/docs/getting-started) middleware to limit the number of directives allowed in a query.
Awsappsync
AWS AppSync is a managed service, so you cannot hook its parser directly. Put AWS WAF in front of the API and use rate-based rules and request body size constraints to reject abnormally large or rapidly repeated queries. Keep the schema's directive usage small and well defined, and keep authorization checks in resolver logic so that directives cannot be used to reach or modify data beyond the intended scope. Review the schema and resolvers regularly for new directives that widen what a query can ask for.
Graphqlgo
In the graphql-go framework, validate the document before executing it: parse it, walk the AST, count directive nodes and reject the request when the count exceeds a threshold. Cap the request body size at the HTTP layer so oversized documents never reach the parser, keep custom directives few and well defined, and use a linter or static analysis to catch directive misuse in your own operations during development. Review the validation logic as the schema evolves.
Graphqlruby
In graphql-ruby, add a query analyzer (a `GraphQL::Analysis::AST::Analyzer` subclass) that counts directive nodes while the document is analyzed and returns an error once the count exceeds a threshold, and combine it with the schema's `max_depth` and `max_complexity` limits. Keep complex logic in resolvers or middleware rather than in directives, so the schema stays small and easy to review.
Hasura
Hasura is a ready-made engine, so its parser cannot be patched. Use the query allow list so that only pre-registered operations are accepted in production, put rate limiting or a WAF in front of the endpoint, and restrict who can change metadata and the GraphQL schema (keep the admin secret out of clients and use role-based permissions). Review the exposed schema regularly for directives that are not needed.
Agoo
Implement rate limiting and validation checks to prevent excessive directive processing in the Agoo framework engine.
Ariadne
Implement rate limiting and validation checks to prevent excessive directive processing in the Ariadne framework engine.
Caliban
Implement rate limiting and validation checks to prevent excessive directive processing in the Caliban framework engine.
Dgraph
Implement rate limiting and validation checks to prevent excessive consecutive directives in queries to the Dgraph engine.
Dianajl
Implement rate limiting and validation checks to prevent excessive directive processing in the dianajl framework engine.
Directus
Implement rate limiting and validation checks to prevent excessive directive processing in the Directus framework engine.
Flutter
Implement rate limiting and input validation to prevent excessive directive processing in the Flutter framework engine.
Graphene
Implement rate limiting and validation checks to prevent excessive directive processing in the Graphene framework engine.
Graphqlapiforwp
Implement rate limiting and validation checks to prevent excessive directive usage in GraphQL queries within the graphqlapiforwp framework.
Graphqlgophergo
Implement rate limiting and validation checks to prevent excessive directive usage in GraphQL queries.
Graphqljava
Implement rate limiting and validation checks to prevent excessive directive usage in GraphQL queries.
Graphqlphp
Implement rate limiting and validation to prevent excessive directive usage in GraphQL queries.
Graphqlyoga
Upgrade to GraphQL>=16.0.0 if you are not already up to date. You can also use our [GraphQL Armor](https://escape.tech/graphql-armor/docs/getting-started) middleware to limit the number of directives allowed in a query.
Hypergraphql
Implement rate limiting and validation checks to prevent excessive directive usage in HyperGraphQL queries.
Jaal
Implement rate limiting and validation checks to prevent excessive directive processing in the Jaal framework engine.
Juniper
Implement rate limiting and validation checks to prevent excessive directive processing in the Juniper framework engine.
Lacinia
Implement rate limiting and validation checks to prevent excessive directive usage in Lacinia framework queries.
Lighthouse
Implement rate limiting and validation checks to prevent excessive directive processing in the Lighthouse framework engine.
Mercurius
Implement rate limiting and validation checks to prevent excessive directive usage in Mercurius framework queries.
Morpheusgraphql
Implement rate limiting and validation checks to prevent excessive directive usage in MorpheusGraphQL queries.
Gqlgen
Implement rate limiting and validation checks to prevent excessive directive processing in the gqlgen framework engine.
Sangria
Implement rate limiting and validation checks to prevent excessive directive usage in the Sangria framework engine.
Shopify
Implement rate limiting and validation checks to prevent excessive directive processing in the Shopify framework engine.
Stepzen
Implement rate limiting and validation checks to prevent excessive directive usage in StepZen queries.
Strawberry
Implement rate limiting and validation checks to prevent excessive directive processing in the Strawberry framework engine.
Tartiflette
Implement rate limiting and validation checks to prevent excessive directive usage in Tartiflette framework queries.
Wpgraphql
Implement rate limiting and input validation to prevent excessive directive processing in the WPGraphQL framework.
Configuration¶
Identifier: resource_limitation/graphql_directive_overload
Options¶
- threshold: maximum number of directives allowed in a query before the fast check raises an alert.
Examples¶
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
- OWASP: API8:2023
- OWASP LLM: LLM04:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-53
- fedramp: AC-2
Classification¶
- CWE: 400
Score¶
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:R
- CVSS_SCORE: 6.9